#!/bin/bash
set -e
# 获取当前脚本所在的绝对路径
# 用于确保脚本可以找到同目录下的文件（如 openvpn.env 等）
curdir=$(cd "$(dirname -- "$0")" && pwd -P)

set timeout 5  # 设置超时为5秒，防止某些命令挂起

# 加载配置文件，$curdir/openvpn.env 应该是一个包含一些环境变量的文件
source "$curdir"/openvpn.env

# 创建 easy-rsa 工作目录
mkdir -p /opt/easy-rsa

# 清空 /opt/easy-rsa 目录下的文件，准备初始化 PKI（公钥基础设施）
rm -rf /opt/easy-rsa/*

# 进入 easy-rsa 目录
cd /opt/easy-rsa

# 安装必需的软件包：easy-rsa、openvpn、openssl、expect
sudo yum -y install easy-rsa-3.0.8 openvpn-2.4.12 openssl expect

# 复制 easy-rsa 相关文件到 /opt/easy-rsa 目录
cp -af /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/

# 复制 vars.example 配置文件，并重命名为 vars 文件，作为 Easy-RSA 的配置文件
cp -af /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars

# 将 Easy-RSA 的 vars 配置文件内容替换成你自己的信息
cat <<EOF > /opt/easy-rsa/vars
if [ -z "\$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi
# 设置证书请求时的相关信息
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Shanghai"
set_var EASYRSA_REQ_ORG "koten"
set_var EASYRSA_REQ_EMAIL "888888@qq.comm"
set_var EASYRSA_NS_SUPPORT "yes"
EOF

echo "finish step 1"

# 创建 Expect 脚本的临时文件并赋予执行权限
touch /tmp/temp_easy_rsa.exp
chmod +x /tmp/temp_easy_rsa.exp

# 初始化 Easy-RSA 公钥基础设施 (PKI)，这将创建 PKI 目录结构
/opt/easy-rsa/easyrsa init-pki

echo "finish step 2"

# 创建并执行 Expect 脚本，自动输入 CA 密钥密码等交互
sudo cat <<EOF > /tmp/temp_easy_rsa.exp
#!/usr/bin/expect
spawn /opt/easy-rsa/easyrsa build-ca

# 输入 CA 密钥的密码
expect "Enter New CA Key Passphrase: "
send "$OPENVPN_PASSWORD\r"

# 再次输入 CA 密钥的密码
expect "Re-Enter New CA Key Passphrase: "
send "$OPENVPN_PASSWORD\r"

# 处理 PEM pass phrase，设置超时避免旧版本无限等待
expect {
    "Enter PEM pass phrase:" {
        send "$OPENVPN_PASSWORD\r"
    }
    timeout {
        puts "No PEM pass phrase prompt detected. Skipping..."
    }
}

# 验证 PEM 密码
expect {
    "Verifying - Enter PEM pass phrase:" {
        send "$OPENVPN_PASSWORD\r"
    }
    timeout {
        puts "No PEM pass phrase prompt detected. Skipping..."
    }
}

# 输入 Common Name（服务器的名称），可以根据需要修改为其他名称
expect "Common Name (eg: your user, host, or server name)"
send "server\r"
expect eof
EOF
# 执行 Expect 脚本
/tmp/temp_easy_rsa.exp

echo "finish step 3"


# 生成服务器的密钥请求，且不需要密码（nopass）
sudo cat <<EOF > /tmp/temp_easy_rsa.exp
#!/usr/bin/expect

# 启动 easyrsa 生成客户端请求
spawn /opt/easy-rsa/easyrsa gen-req server nopass

expect "Common Name (eg: your user, host, or server name)"
send "server\r"

expect eof
EOF
/tmp/temp_easy_rsa.exp


echo "finish step 4"

# 创建并执行 Expect 脚本，自动签署服务器的密钥请求
sudo cat <<EOF > /tmp/temp_easy_rsa.exp
#!/usr/bin/expect
spawn /opt/easy-rsa/easyrsa sign server server
expect "Type the word 'yes' to continue, or any other input to abort."
send "yes\r"
expect "Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:"
send "$OPENVPN_PASSWORD\r"
expect eof
EOF
/tmp/temp_easy_rsa.exp

echo "finish step 5"

# 生成 Diffie-Hellman 密钥交换参数，用于加密传输
# /opt/easy-rsa/easyrsa gen-dh
openssl dhparam -out /opt/easy-rsa/pki/dh.pem 1024

echo "finish step 6"

# 生成客户端的密钥请求，且不需要密码（nopass）
sudo cat <<EOF > /tmp/temp_easy_rsa.exp
#!/usr/bin/expect

# 启动 easyrsa 生成客户端请求
spawn /opt/easy-rsa/easyrsa gen-req client nopass

expect "Common Name (eg: your user, host, or server name)"
send "client\r"

expect eof
EOF
/tmp/temp_easy_rsa.exp


echo "finish step 7"

# 创建并执行 Expect 脚本，自动签署客户端的密钥请求
sudo cat <<EOF > /tmp/temp_easy_rsa.exp
#!/usr/bin/expect
spawn /opt/easy-rsa/easyrsa sign client client
expect "Type the word 'yes' to continue, or any other input to abort."
send "yes\r"
expect "Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:"
send "$OPENVPN_PASSWORD\r"
expect eof
EOF
/tmp/temp_easy_rsa.exp

echo "finish step 8"

rm -f /tmp/temp_easy_rsa.exp

# 保存配置信息并启动服务
bash "$curdir"/save_conf.sh

cp -f /etc/openvpn/server.conf /etc/openvpn/server.conf.bak

echo "finish step 9"

exit 0